ci: Move testing into ubuntu:26.04 containers for OpenSSL 3.5

[stefanberger]

Since swtpm now needs OpenSSL 3.5, move the testing into ubuntu:26.04 containers.

Summary by CodeRabbit

• Chores
  • CI now runs key build and coverage jobs inside Ubuntu 26.04 containers.
  • Build steps detect missing elevated permissions in containers and install required build tooling as needed.
  • Added an extra build job for an alternate build configuration to improve coverage of different build variants.
  • Coverage and component bootstrap steps updated for more reliable builds, including adjustments to a TPM-related component setup.

[coderabbitai]

Note

Reviews paused

It looks like this branch is under active development. To avoid overwhelming you with review comments due to an influx of new commits, CodeRabbit has automatically paused this review. You can configure this behavior by changing the reviews.auto_review.auto_pause_after_reviewed_commits setting.

Use the following commands to manage reviews:

• @coderabbitai resume to resume automatic reviews.
• @coderabbitai review to trigger a single review.

Use the checkboxes below for quick actions:

• ▶️ Resume reviews
• 🔍 Trigger review

📝 Walkthrough

Walkthrough

CI workflow jobs for Ubuntu builds and coveralls now run in ubuntu:26.04 containers, add conditional dependency installation when sudo is unavailable, and update autogen.sh options including dependency-tracking, coverage, and swtpm bootstrap flag/package adjustments.

Changes

CI environment upgrade to Ubuntu 26.04 containers

Layer / File(s)	Summary
New non-openssl-functions Ubuntu job .github/workflows/ci.yml	Adds a job that runs in container.image: ubuntu:26.04, checks for sudo before installing build dependencies, and runs autogen.sh --disable-use-openssl-functions.
Ubuntu build jobs in containers .github/workflows/ci.yml	Updates build-ubuntu-resolute to use container.image: ubuntu:26.04, wraps apt-get installs with a sudo-presence check, and changes autogen.sh to include --disable-dependency-tracking.
Coveralls job: container, sudo-guard, swtpm changes .github/workflows/ci.yml	Moves build-coveralls to container.image: ubuntu:26.04, applies the same conditional dependency installation, sets main autogen.sh flags to --enable-test-coverage --disable-dependency-tracking, and adjusts swtpm package list and autogen.sh options.

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Poem

🐇 I packed my tools in a container bright,
Hopped through builds in Ubuntu light.
If sudo sleeps, I fetch and feed,
Autogen blooms with every seed.
Coveralls hums — a tidy night!

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Description Check	✅ Passed	Check skipped - CodeRabbit’s high-level summary is enabled.
Title check	✅ Passed	The title accurately describes the main change: moving CI testing into ubuntu:26.04 containers to support OpenSSL 3.5, which aligns perfectly with the file-level changes and PR objectives.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch stefanberger/ubuntu-26.04

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[coderabbitai]

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Line 54: The CI step uses a blocking package install command "sudo apt install
git" which will hang in non-interactive runs; update the command invocation to
run non-interactively by adding the assume-yes flag (e.g., change "sudo apt
install git" to include "-y") or use a non-interactive apt-get approach (e.g.,
"DEBIAN_FRONTEND=noninteractive apt-get install -y git") so the workflow never
prompts for confirmation.
- Around line 53-54: Ensure the package cache is always updated before
installing git: change the workflow shell logic so that you still check/ensure
sudo exists (the existing "if ! type -P sudo; then apt-get -y update && apt-get
-y install sudo; fi" behavior) but always run "apt-get update" (with sudo if
present) prior to "apt install git" -- e.g., after ensuring sudo, invoke "sudo
apt-get update" then "sudo apt-get install -y git" so git installation won't
fail in images where sudo already exists.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: e2c62a33-9607-4b2f-8382-3d9dbeecdbdc

📥 Commits

Reviewing files that changed from the base of the PR and between 06ec934 and 7c77122.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

[coderabbitai]

⚠️ Potential issue | 🔴 Critical | ⚡ Quick win

Missing apt-get update when sudo already exists.

The current logic only runs apt-get update if sudo is missing (line 53), but git installation (line 54) executes unconditionally. In a fresh ubuntu:26.04 container where sudo is already present, the package cache will be stale or empty, causing the git installation to fail.

🔧 Proposed fix

-          if ! type -P sudo; then apt-get -y update && apt-get -y install sudo; fi
-          sudo apt install git
+          if ! type -P sudo; then apt-get -y update && apt-get -y install sudo; fi
+          sudo apt-get -y update
+          sudo apt-get -y install git

📝 Committable suggestion

‼️ IMPORTANT
Carefully review the code before committing. Ensure that it accurately replaces the highlighted code, contains no missing lines, and has no issues with indentation. Thoroughly test & benchmark the code to ensure it meets the requirements.

Suggested change

	if ! type -P sudo; then apt-get -y update && apt-get -y install sudo; fi
	sudo apt install git
	if ! type -P sudo; then apt-get -y update && apt-get -y install sudo; fi
	sudo apt-get -y update
	sudo apt-get -y install git

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/ci.yml around lines 53 - 54, Ensure the package cache is
always updated before installing git: change the workflow shell logic so that
you still check/ensure sudo exists (the existing "if ! type -P sudo; then
apt-get -y update && apt-get -y install sudo; fi" behavior) but always run
"apt-get update" (with sudo if present) prior to "apt install git" -- e.g.,
after ensuring sudo, invoke "sudo apt-get update" then "sudo apt-get install -y
git" so git installation won't fail in images where sudo already exists.

[coderabbitai]

Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 53-56: The container branch of the CI step (the if ! type -P sudo;
then block) installs autotools but omits compiler and dev libs needed for
configure/make; update that apt-get -y install line (or add a follow-up apt-get
install) to include build-essential (or gcc/g++/make), libssl-dev and pkg-config
(and optionally libffi-dev) so commands like ./configure --with-openssl and make
succeed.
- Around line 27-29: The ubuntu:26.04 container used in the job (container:
image: ubuntu:26.04) lacks build dependencies required by autogen.sh and make
distcheck; add a step before running autogen.sh/make distcheck to run apt-get
update and install automake, autoconf, libtool, build-essential (gcc/g++/make),
pkg-config and libssl-dev (or the equivalent distro packages) so the build tools
are available in the container; update the CI job to run a setup step (e.g.,
"Install build dependencies") that executes apt-get install -y automake autoconf
libtool build-essential pkg-config libssl-dev and any needed prerequisites
before invoking autogen.sh and make distcheck.
- Around line 9-11: CI container jobs using container.image: ubuntu:26.04
(notably build-ubuntu-jammy, build-ubuntu-noble and build-coveralls) are missing
required build deps before running ./autogen.sh; update each job to install the
toolchain and libraries prior to invoking ./autogen.sh (or use a prebuilt image)
— at minimum apt-get install build-essential pkg-config libssl-dev automake
autoconf libtool (and ensure gcc/g++/make are present) so autoreconf/AC_PROG_CC
and the --with-openssl configure checks succeed.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: b0026f8b-c9cc-4ba2-9e44-e14665857ad9

📥 Commits

Reviewing files that changed from the base of the PR and between 7c77122 and 04405d0.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/ci.yml:
- Around line 8-11: Two jobs share the same job id build-ubuntu-resolute causing
one to be dropped; rename one of the duplicate job ids to a unique identifier
(e.g., build-ubuntu-resolute-26-04 or build-ubuntu-resolute-autogen2) and update
any references to that job (needs/depends-on) so workflow validation succeeds
and both Ubuntu 26.04 autogen.sh variants run; ensure the container:image
ubuntu:26.04 job block remains otherwise unchanged.

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: d37392e7-4efa-4249-8716-bfbf9a97ffb2

📥 Commits

Reviewing files that changed from the base of the PR and between 04405d0 and 843aa8f.

📒 Files selected for processing (1)

• .github/workflows/ci.yml